I use KeePass + Dropbox to manage and synchronize my passwords across my devices. This system works really great and I trust KeePass' security model.

However my biggest remaining concern is the master password as I am worried about not being able to protect my PC against keyloggers. To alleviate this fear I want to introduce a second factor of authentication.

KeePass only really allows for using a keyfile as a second authentication factor, and while storing a keyfile on a USB thumb drive does seem like a secure solution it also is too restrictive for me. If I was to use a keyfile, I would probably store it on Dropbox but does this really add any additional security at all? My thinking is that if my master password is compromised then in order for the attacker to succeed he will also need my KeePass database. If he has access to that then he will most likely also have access to the keyfile so I've gained no additional security.

Any comments or suggestions for a better setup which doesn't add too much overhead?

Your best option, if available to you, is to use the suggestion above plus having KeePass installed on a remote machine which you know is (better) physically secured. This essentially expands @Rory Alsop's suggestion to something actionable.

I think your security model has a couple of potential flaws here - I'll list the potential issues I can see, and you can let me know if they are valid worries in your particular circumstances:

If you have a real worry about not being able to secure your PC against keyloggers, the implication is that an attacker could install anything - which to my mind means game over: they can extract all the data from your KeePass whether you log on with a token or not by grabbing that data next time you use KeePass.

(In addition, storing on Dropbox means they could potentially carry out this attack from other locations by sharing your Dropbox, as per this vulnerability.)

Your only real protection against a threat actor which you think can compromise your machine is to not use that machine (unless you can configure it in such a way that they can't compromise it, of course) and do something like use KeePass on a mobile device (where your risk becomes one of losing your device or having it stolen...)

Definitely agree here. If you're looking to defend your KeePass against a computer pwner, keyfiles aren't going to help you. The only second factor that can offer any level of actual protection on a compromised computer is a hardware token like RSA SecurID. Even then, your current session can still get hijacked. But, with an RSA SecurID token or similar device in use, it is less likely that they will be able to independently authenticate as you in the future.
– Iszi May 12 '11 at 13:10